nf_conntrack: table full, dropping packet в dmesg
https://www.stableit.ru/2010/01/nfconntrack-table-full-dropping-packet.html
# sysctl -a | grep conntrack_max
net.ipv4.netfilter.ip_conntrack_max = 65536
net.netfilter.nf_conntrack_max = 65536
net.nf_conntrack_max = 65536
************************************************************
************************************************************
************************************************************
# sysctl -a | grep conntrack_max
net.ipv4.netfilter.ip_conntrack_max = 65536
net.netfilter.nf_conntrack_max = 65536
net.nf_conntrack_max = 65536
- mcedit /etc/sysctl.conf
net.ipv4.netfilter.ip_conntrack_max=1548576
- sysctl -p
Примечания:
- Ключ net.ipv4.netfilter.ip_conntrack_max — устаревший псевдоним, на новых ядрах его нет; в sysctl.conf лучше писать современное имя net.netfilter.nf_conntrack_max (оба видны в выводе sysctl выше, значение у них одно).
- Число 1548576 похоже на опечатку (вероятно, имелось в виду 1048576 = 2^20). Само по себе это не критично, но каждая запись таблицы занимает память ядра (порядка нескольких сотен байт), то есть полтора миллиона записей — это сотни мегабайт.
- При увеличении лимита размер хеш-таблицы (hashsize, он же nf_conntrack_buckets) автоматически не растёт; задайте его пропорционально через параметр модуля или /sys/module/nf_conntrack/parameters/hashsize, иначе поиск по таблице замедлится.
- Прежде чем просто поднимать лимит, проверьте, не заполняет ли таблицу флуд или сканирование (см. команду с топом IP ниже): больший лимит лишь отодвигает момент отказа. Часто помогает уменьшить net.netfilter.nf_conntrack_tcp_timeout_established (по умолчанию 432000 с = 5 суток).
Смотрим текущее число записей. Дёшево — через счётчик ядра, без обхода таблицы:
- sysctl net.netfilter.nf_conntrack_count
Подсчёт строк в /proc/net/nf_conntrack обходит всю таблицу и грузит проц; на большой таблице им лучше не пользоваться:
- cat /proc/net/nf_conntrack | wc -l
Для анализа содержимого таблицы удобнее утилита conntrack:
- apt-get install conntrack
Centos
- yum install -y conntrack-tools
Смотрим записи таблицы (conntrack -L тоже выводит всю таблицу целиком, на большой таблице это небыстро)
- conntrack -L
Смотрим топ-10 IP-адресов источников по числу записей — так виден флуд или сканирование. Найденный источник имеет смысл отбрасывать до conntrack, в таблице raw (например, iptables -t raw -I PREROUTING -s <IP> -j DROP), чтобы он не создавал новые записи:
- /usr/sbin/conntrack -L |awk '{if ($5 ~ /src/) print $5; else if ($4 ~ /src/) print $4}' | sed "s/src=/ /g" | sort | uniq -c | sort -n | tail -n10
************************************************************
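#NO TRACK FOR REAL SUBNETS
# raw-table rules. NOTRACK stops conntrack entries from being created for the
# matching packets. Untracked packets never match stateful rules
# (-m conntrack / -m state) and cannot be NATed, so every host that must keep
# state is ACCEPTed in raw (ACCEPT here only means "stop raw traversal, keep
# tracking") before the interface-wide NOTRACK.
# NOTE(review): check the filter table's policy for these interfaces (not shown
# here) — with a default ACCEPT, untracked traffic gets no stateful filtering at
# all; with an ESTABLISHED,RELATED-only policy it is dropped.
# IPT is expected to hold the iptables binary path and to be set before this point.
#Sub provider
#eth10.500 10.10.10.10/27
# Hosts on the sub-provider side that stay tracked (same order as before).
for host in 20.20.20.20 20.20.20.30 20.20.20.40 20.20.20.50 20.20.20.60 20.20.20.70; do
  "$IPT" -t raw -A PREROUTING -i eth10.500 -d "$host" -j ACCEPT
done
# Everything else entering or leaving eth10.500 bypasses conntrack.
"$IPT" -t raw -A PREROUTING -i eth10.500 -j NOTRACK
"$IPT" -t raw -A OUTPUT -o eth10.500 -j NOTRACK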
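#UPLINK
#eth10.1001 20.20.50.20/29
#Alias for IPTV SRC-NAT
#eth11.4000:1 20.20.20.80/32
# The IPTV SNAT address must stay tracked (NAT needs conntrack). Strictly this
# ACCEPT is redundant — 20.20.20.80 is in neither /24 NOTRACKed below — but it
# keeps the intent explicit if the NOTRACK list grows.
"$IPT" -t raw -A PREROUTING -i eth10.1001 -d 20.20.20.80 -j ACCEPT
# Only these two destination /24s from the uplink bypass conntrack; all other
# uplink traffic stays tracked (no interface-wide NOTRACK here, unlike eth10.500).
"$IPT" -t raw -A PREROUTING -i eth10.1001 -d 20.20.30.0/24 -j NOTRACK
"$IPT" -t raw -A PREROUTING -i eth10.1001 -d 20.20.40.0/24 -j NOTRACK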
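#Unknown
#eth10.3999 172.17.0.1/24
#eth10.3999:1 20.20.60.20/28
# NOTE(review): the source prefix below is 20.20.40.20/28, while the alias
# documented just above is 20.20.60.20/28 — confirm which one was meant.
# Also, 20.20.40.20/28 is not a network address; iptables silently masks it
# to 20.20.40.16/28. Writing the masked form would make the intent explicit.
"$IPT" -t raw -A PREROUTING -i eth10.3999 -s 20.20.40.20/28 -j NOTRACK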
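#Accel
#eth11.4000 171.25.174.254/30
# Same scheme as the sub-provider interface: keep state only for the listed
# hosts (ACCEPT in raw = keep tracking), untrack everything else on eth11.4000.
# Untracked packets cannot be NATed and never match -m conntrack/-m state rules.
# IPT is expected to hold the iptables binary path and to be set before this point.
for host in 20.20.20.20 20.20.20.30 20.20.20.40 20.20.20.50 20.20.20.60 20.20.20.70; do
  "$IPT" -t raw -A PREROUTING -i eth11.4000 -d "$host" -j ACCEPT
done
"$IPT" -t raw -A PREROUTING -i eth11.4000 -j NOTRACK
"$IPT" -t raw -A OUTPUT -o eth11.4000 -j NOTRACK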
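# NOTE(review): this section repeats the Sub provider / UPLINK / Unknown / Accel
# rules already given above, verbatim. Appending it a second time installs every
# rule twice (harmless for matching, but it doubles the raw chain) — most likely
# a paste duplication; drop it if the rules above are already loaded.
# Semantics, as above: ACCEPT in raw only means "keep tracking"; NOTRACK packets
# cannot be NATed and never match -m conntrack/-m state rules, so check the
# filter policy for these interfaces. IPT must hold the iptables path.
#Sub provider
#eth10.500 10.10.10.10/27
for host in 20.20.20.20 20.20.20.30 20.20.20.40 20.20.20.50 20.20.20.60 20.20.20.70; do
  "$IPT" -t raw -A PREROUTING -i eth10.500 -d "$host" -j ACCEPT
done
"$IPT" -t raw -A PREROUTING -i eth10.500 -j NOTRACK
"$IPT" -t raw -A OUTPUT -o eth10.500 -j NOTRACK
#UPLINK
#eth10.1001 20.20.50.20/29
#Alias for IPTV SRC-NAT
#eth11.4000:1 20.20.20.80/32
# Redundant but explicit: 20.20.20.80 is in neither NOTRACKed /24 below.
"$IPT" -t raw -A PREROUTING -i eth10.1001 -d 20.20.20.80 -j ACCEPT
"$IPT" -t raw -A PREROUTING -i eth10.1001 -d 20.20.30.0/24 -j NOTRACK
"$IPT" -t raw -A PREROUTING -i eth10.1001 -d 20.20.40.0/24 -j NOTRACK
#Unknown
#eth10.3999 172.17.0.1/24
#eth10.3999:1 20.20.60.20/28
# NOTE(review): rule uses 20.20.40.20/28 while the alias above is 20.20.60.20/28
# — confirm. iptables masks 20.20.40.20/28 to 20.20.40.16/28.
"$IPT" -t raw -A PREROUTING -i eth10.3999 -s 20.20.40.20/28 -j NOTRACK
#Accel
#eth11.4000 171.25.174.254/30
for host in 20.20.20.20 20.20.20.30 20.20.20.40 20.20.20.50 20.20.20.60 20.20.20.70; do
  "$IPT" -t raw -A PREROUTING -i eth11.4000 -d "$host" -j ACCEPT
done
"$IPT" -t raw -A PREROUTING -i eth11.4000 -j NOTRACK
"$IPT" -t raw -A OUTPUT -o eth11.4000 -j NOTRACK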